Alyssa Preiser

Healthcare Hack Attack: Why is medical cybersecurity something that we need to think about?

In each cell of your body, you have instructions that specifically describe what you look like and how you function. These copies of information are our DNA (deoxyribonucleic acid) and, in total, make up your genome, which is specific to each person. One copy of our DNA is comparable to 700 MB, and the information we can get from that data is staggering. For example, we can learn about migrations throughout human history, ancestry, disease risk, and personalized medical treatments. But, as Uncle Ben once told Peter Parker, “with great power comes great responsibility.” A deep understanding of genomic data has enormous potential, most notably in the medical field where it can be used for highly personalized diagnoses and treatments. However, one of the rising questions and challenges in this age of genomic data is how to best protect this highly personal data.


Current practice puts genomic data under the same protections as all other health data, a framework known as HIPAA (Health Insurance Portability and Accountability Act), which was enacted in 1996, 7 years before the human genome was actually sequenced. In 1996, genomic data was not a part of medical practice, and laws enacted at this point could not have foreseen the technological advances we’ve made. A revision that included electronic handling of medical data was made effective in 2003. HIPAA requirements specifically lay out how medical data is used and protected: who can access your information and under what conditions they may see it, how employees at workplaces using sensitive data must be trained, authorization needed to see the data, plans for backing up and protecting data, and more. These policies and procedures drive authentication and authorization practices that you may experience at your doctor’s office, like signing forms authorizing use of digital data or using your birthdate to verify your identity. Despite the current security measures, there is increasing concern that there are opportunities for this data to be hacked. Some healthcare providers and companies may be doing better than others, and current policies may not have taken additional advances in technology since 2003 into consideration.


Security gaps are particularly problematic as healthcare becomes more dependent on genomic information. Your genome (the sum of all your DNA instructions) is unique to you, similar to your fingerprint or retinal scan, and cannot be changed. This is unlike other personal and unique information that we use to identify ourselves. “There’s a lot of things you can do if you have identity theft around your financial records, where you live, your home, your phone number. Those things we can change - we can’t change your DNA!” says Dan Lohrmann, a cyber security expert who works with companies and organizations to identify and correct holes in their security. DNA is the ultimate self-identifier, making it difficult to repair damage caused by security breaches. Hacks that recover genomic data have several repercussions. First, genomic data could potentially be used to deny your access to an activity or role you may want to participate in. For example, insurance companies using uncovered genomic data might attempt to deny you access to health insurance based on an increased risk for a disease. Jobs may be denied for similar reasons. Second, genomic data could be used to unmask previously anonymous data. In large hacks or through combined stolen information, anonymous data could be pieced together to form a complete picture of your identity. This holistic dataset could be used to access more information. Stolen data could be used to get through biosecurity (e.g. fingerprints) or questions used in two-factor authentication (e.g. What was your first address?). Third, accurate and effective healthcare is dependent on accurate data. Security holes in healthcare provider frameworks may leave data vulnerable to mishandling. Genomic data could get swapped, misinterpreted, or misplaced, which compromises effective treatments, leading to misdiagnosis and incorrect treatments.


Lohrmann describes working in cyber security as an arms race: “It’s like the Cold War in cyber security right now. The bad guys develop something…people uncover vulnerabilities or uncover a challenge, then a fix is applied, and then somebody else finds some other way to do it.” Right now, banks tend to be ahead of the curve, finding and repairing holes in their security within minutes. Hospitals and the medical field are beginning to catch up: spending and advances in their systems have picked up in the last few years. However, despite recent advances, it’s hard to keep up as technological needs are changing rapidly. Lohrmann predicts that over the short term we are going to see data hacks making headlines. However, he says that this most likely isn’t the long-term outlook. He predicts that as medical providers become more aware of these challenges and we begin to understand the importance and vulnerability of this data, extra provisions will begin to evolve, for example, the possible creation of an extra protected layer beyond HIPAA for this hyper-vulnerable data.


Despite the security risks and challenges that face us, genomic data has incredible potential and should not be ignored in favor of security ease. Advances in the usage of this data could unlock new and more effective cancer treatments or early identification and treatment of other diseases. Steps forward in this new area of treatment, though, need to be matched with advances in the protections for the patients whose health is being addressed. Yet patients and consumers aren’t helpless or passive as providers want to use this data. Lohrmann charges medical patients and consumers of products who may use genomic data to think carefully about their information: “Don’t be afraid to ask tough questions, don’t be afraid to challenge the status quo, and you may be the reason that some new policy, procedure, or technology is put in place.” Read through the policies that you sign, both at the doctor’s office and for optional projects, like ancestry tests. Do your homework to understand who you are giving access to the data, how it’s used, and who it can get shared with. Ask what their authentication measures are, and if you’re not comfortable with them, opt out or ask for further protection. There may be new pilot studies or beta tests with these additional layers of security you can participate in. By thinking about and asking these difficult questions, you may become a driving force in the push for better security and help open the door for continued and safe usage of genomic data.
